
KeyW Corporation Suite B Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy


Advanced Cyber Operations Sector KXD002

Suite B Cryptographic Module


FIPS 140-2 Non-Proprietary Security Policy

Revision: 1.2

Prepared by: KeyW Corporation
7880 Milestone Parkway
Suite 100
Hanover, MD 21076
410-904-5200 Phone
410-799-3479 Fax


Contents
Revision History
Acronyms
1. Introduction
    1.1. Identification
    1.2. Overview
    1.3. FIPS 140-2 Security Levels
2. Suite B Cryptographic Module
    2.1. Cryptographic Module Specification
        2.1.1. Security Functions
        2.1.2. Modes of Operation
        2.1.3. Cryptographic Boundary
        2.1.4. Determining Module Version
    2.2. Cryptographic Module Ports and Interfaces
    2.3. Roles, Services, and Authentication
        2.3.1. Roles
        2.3.2. Services
        2.3.3. Authentication
    2.4. Finite State Model
    2.5. Physical Security
    2.6. Operational Environment
    2.7. Cryptographic Key Management
        2.7.1. Key Zeroization
    2.8. Electromagnetic Interference and Compatibility
    2.9. Self-Tests
        2.9.1. Invoking Self-Tests
        2.9.2. Self-Tests Results
    2.10. Design Assurance
    2.11. Mitigation of Other Attacks
3. Referenced Documents


Tables and Figures
Table 1 – Summary of Achieved FIPS 140-2 Security Levels
Table 2 – FIPS-Approved and Vendor-Affirmed Security Functions
Table 3 – FIPS Non-Approved but Allowed Security Functions
Figure 1 – Module Cryptographic Boundary
Table 4 – Module Logical Interfaces
Table 5 – Module Services for Cryptographic Officer Role
Table 6 – Module Services for User Role
Table 7 – Module Authentication
Table 8 – Operational Environments
Table 9 – Module Cryptographic Keys and Critical Security Parameters
Table 10 – Module Power-On Self-Tests
Table 11 – Module Conditional Self-Tests
Table 12 – Module Self-Test Error Codes


Revision History
| Revision | Date | Author | Changes |
|---|---|---|---|
| 1.2 | February 9, 2017 | A. Seaman, D. Mackie, C. Constantinescu, D. Brown | Revised: Section 2.1.1, Section 2.1.1.1, Figure 1, and Table 9 |
| 1.1 | January 6, 2017 | A. Seaman, D. Mackie, C. Constantinescu, D. Brown | Added Security Functions |
| 1.0 | July 11, 2014 | R. Glenn, D. Mackie, C. Constantinescu, D. Wolff, E. Hufford | Initial Release |


Acronyms
AAD Additional Authentication Data
AES Advanced Encryption Standard
AESAVS Advanced Encryption Standard Algorithm Validation Suite
ANS American National Standard
API Application Programming Interface
CAVP Cryptographic Algorithm Validation Program
CBC Cipher Block Chaining
CDH Cofactor Diffie-Hellman
CM Cryptographic Module
CMAC CBC Message Authentication Code
CMACVS CBC Message Authentication Code Validation System
CSP Critical Security Parameters
CT Ciphertext
CTR Counter
CVL Component Validation List
DAR Data At Rest
DEP Default Entry Point
DIT Data In Transit
DKM Derived Keying Material
DLL Dynamic Link Library
DOC Department of Commerce
DPI Double-Pipeline Iteration
DPK Data Protection Key
DRBG Deterministic Random Bit Generator
DUNS Data Unit Sequence Number
EC Elliptic Curve
ECB Electronic CodeBook
ECC Elliptic Curve Cryptography
ECDH Elliptic Curve Diffie-Hellman
ECDSA Elliptic Curve Digital Signature Algorithm
ECDSA2VS Elliptic Curve Digital Signature Algorithm Validation System
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
FB Feedback
FFC Finite Field Cryptography
FIPS Federal Information Processing Standard
FSM Finite State Model
GCM Galois/Counter Mode
GCMVS Galois/Counter Mode Validation System
GMAC Galois Message Authentication Code
GPC General-purpose Computer
HMAC Keyed-hash Message Authentication Code
HMACVS Keyed-hash Message Authentication Code Validation System
I/O Input/Output
IAW In Accordance With
IETF Internet Engineering Task Force
IV Initialization Vector
KAS Key Agreement Scheme
KASVS Key Agreement Schemes Validation System
KAT Known Answer Test
KBKDF Key-Based Key Derivation Function
KBKDFVS Key-Based Key Derivation Function Validation System
KC Key Confirmation
KDF Key Derivation Function


KW Key Wrap
KWP Key Wrap With Padding
KWVS Key Wrap Validation System
LED Light Emitting Diode
MAC Message Authentication Code
MK Master Key
MQV Menezes-Qu-Vanstone
NIST National Institute of Standards and Technology
OS Operating System
PBKDF Password-Based Key Derivation Function
PKV Public Key Validation
POST Power-On Self-Test
PRF Pseudo-Random Function
PT Plaintext
RAM Random Access Memory
RBG Random Bit Generator
RFC Request For Comments
S/MIME Secure/Multipurpose Internet Mail Extensions
SHA Secure Hash Algorithm
SHAVS Secure Hash Algorithm Validation System
SHS Secure Hash Standard
SO Shared Object
SP Special Publication
SSL Secure Sockets Layer
TLS Transport Layer Security
USB Universal Serial Bus
USSOCOM United States Special Operations Command
VS Validation Specification
XTS XEX Tweakable Block Cipher with Ciphertext Stealing
XTSVS XTS Validation System


1. Introduction
1.1. Identification
The following information identifies this document:

• Title: Suite B Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
• Version: 1.2

1.2. Overview
KeyW Corporation, in coordination with the United States Special Operations Command (USSOCOM),
has developed a Federal Information Processing Standard (FIPS) 140-2 Level 1 validated, standards-
based Suite B Cryptographic Module that provides an advanced layer of encrypted Data In Transit (DIT)
communications and Data At Rest (DAR) encryption via an Application Programming Interface (API).

The Suite B Cryptographic Module, hereafter collectively referred to as the Module, operates as one of
several layers of platform encryption. The platform encryption can be invoked automatically when the
Module is initialized, providing an additional layer of encryption and obfuscation above the Module.
Additional encryption at the application layer can be added by enabling S/MIME encryption on emails,
content protection encryption on shared data, and SSL/TLS encryption on web traffic.

1.3. FIPS 140-2 Security Levels


The Module meets the overall requirements applicable to Level 1 security for FIPS 140-2 as shown in the
table below:

| # | FIPS 140-2 Section | Level |
|---|---|---|
| 2.1 | Cryptographic Module Specification | 1 |
| 2.2 | Cryptographic Module Ports and Interfaces | 1 |
| 2.3 | Roles, Services, and Authentication | 1 |
| 2.4 | Finite State Model | 1 |
| 2.5 | Physical Security | N/A |
| 2.6 | Operational Environment | 1 |
| 2.7 | Cryptographic Key Management | 1 |
| 2.8 | EMI/EMC | 1 |
| 2.9 | Self-Tests | 1 |
| 2.10 | Design Assurance | 1 |
| 2.11 | Mitigation of Other Attacks | N/A |
| | Overall Level | 1 |

Table 1 – Summary of Achieved FIPS 140-2 Security Levels


2. Suite B Cryptographic Module
The Module meets the requirements of the FIPS 140-2 Security Level 1 specification and provides the
following cryptographic services:

• Data encryption and decryption
• Key encryption and decryption
• Message digest and authentication code generation
• Digital signature generation and verification
• Elliptic curve key agreement
• Key derivation

2.1. Cryptographic Module Specification


2.1.1. Security Functions
The Module is implemented entirely in software and contains the following FIPS-approved and FIPS non-
approved, but allowed security functions:

| Algorithm | Use | Specification | Mode / Key Size | CAVP Specification | CAVP Certificate |
|---|---|---|---|---|---|
| AES | Block Cipher | FIPS 197, Nov 2001 (Ref. [1]); NIST SP 800-38A, Dec 2001 (Ref. [2]) | ECB-128, ECB-192, ECB-256, CBC-128, CBC-192, CBC-256 | AESAVS, Nov 2002 (Ref. [16]) | #3328, #4312 |
| | | NIST SP 800-38B, May 2005 (Ref. [3]) | CMAC-128, CMAC-192, CMAC-256 | CMACVS, Aug 2011 (Ref. [17]) | #4312 |
| | | NIST SP 800-38D, Nov 2007 (Ref. [4]) | GCM-128, GMAC-128, GCM-192, GMAC-192, GCM-256, GMAC-256 | GCMVS, Aug 2012 (Ref. [18]) | #3328 |
| | | NIST SP 800-38E, Jan 2010 (Ref. [5]) | XTS-128, XTS-256 | XTSVS, Sep 2013 (Ref. [19]) | #3328 |
| | Key Storage | NIST SP 800-38F, Dec 2012 (Ref. [6]) | KW-128, KW-192, KW-256 | KWVS, Jun 2014 (Ref. [20]) | #3328 |
| | | IETF RFC 5649, Aug 2009 (Ref. [7]) | KWP-128, KWP-192, KWP-256 | | #3328 |
| SHA | Secure Hashing | FIPS 180-4, Aug 2015 (Reference [8]) | SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | SHAVS, May 2014 (Ref. [21]) | #2761 |
| CMAC | Message Authentication | NIST SP 800-38B, May 2005 (Ref. [3]) | AES-128, AES-192, AES-256 | CMACVS, Aug 2011 (Ref. [17]) | #4312 |
| GMAC | | NIST SP 800-38D, Nov 2007 (Ref. [4]) | AES-128, AES-192, AES-256 | GCMVS, Aug 2012 (Ref. [18]) | #3328 |
| HMAC | | FIPS 198-1, July 2008 (Reference [9]) | SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | HMACVS, July 2012 (Ref. [22]) | #2119 |
| ECDSA | Digital Signature. Per NIST SP 800-131A, P-192 and SHA-1 are no longer considered secure and shall not be used to generate digital signatures (Ref. [14]). | FIPS 186-4, July 2013 (Reference [12]) | P-192 with SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | ECDSA2VS, Mar 2014 (Ref. [24]) | #657 |
| | | | P-224 with SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | | |
| | | | P-256 with SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | | |
| | | | P-384 with SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | | |
| | | | P-521 with SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | | |
| ECC KAS | Key Establishment | NIST SP 800-56A Rev 2, May 2013 (Reference [15]) | FullUnified KC EB (P-224, SHA-224); FullUnified KC EC (P-256, SHA-256); FullUnified KC ED (P-384, SHA-384); FullUnified KC EE (P-521, SHA-512); FullMQV KC EB (P-224, SHA-224); FullMQV KC EC (P-256, SHA-256); FullMQV KC ED (P-384, SHA-384); FullMQV KC EE (P-521, SHA-512) | KASVS, May 2014 (Ref. [25]) | #55 |
| ECC CDH Primitive | Shared Secret Establishment | NIST SP 800-56A Rev 2, May 2013 (Reference [15], Section 5.7.1.2) | P-224, P-256, P-384, P-521 | KASVS, May 2014 (Ref. [25]) | #484 (CVL) |
| KBKDF-CMAC | Key Derivation | NIST SP 800-108, Oct 2009 (Reference [10]) | CTR: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256 | KBKDFVS, Jan 2016 (Ref. [23]) | #116 |
| | | | FB: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256 | | |
| | | | DPI: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256 | | |
| KBKDF-HMAC | Key Derivation | NIST SP 800-108, Oct 2009 (Reference [10]) | CTR: HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | KBKDFVS, Jan 2016 (Ref. [23]) | #116 |
| | | | FB: HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | | |
| | | | DPI: HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | | |
| PBKDF | Key Derivation | NIST SP 800-132, Dec 2010 (Reference [11]). See Section 2.1.1.1. | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | VS not yet available as of Jan. 2017 | Vendor-Affirmed |

Table 2 – FIPS-Approved and Vendor-Affirmed Security Functions

| Algorithm | Use | Specification | Mode / Key Size | CAVP Specification | CAVP Certificate |
|---|---|---|---|---|---|
| N/A | N/A | N/A | N/A | N/A | N/A |

Table 3 – FIPS Non-Approved but Allowed Security Functions

2.1.1.1. NIST SP 800-132 Password-Based Key Derivation Function (PBKDF)


Per NIST SP 800-132, Recommendation for Password-Based Key Derivation, December 2010 (Reference
[11]), the calling application is responsible for selecting which option is used to derive the Data
Protection Key (DPK) from the Master Key and shall only use keys derived from passwords in storage
applications. The Module API requires the calling application to select a password/passphrase that is at
least 10 characters long, in accordance with the guidelines in NIST SP 800-63-2, Electronic Authentication
Guideline, August 2013 (Reference [26]) and NIST SP 800-118, Guide to Enterprise Password
Management (Draft), April 2009 (Reference [27]). Acceptable values of the other parameters used in key
derivation are detailed below.

PROTOTYPE:
    t_STATUS PBKDF(U8 *MK, U32 MKbytes, const U8 *Pswd, U32 Pbytes,
                   const U8 *Salt, U32 Sbytes, U32 Icount);

ARGUMENTS:
    MK      = pointer to a byte string representing the output (derived) master key
    MKbytes = length of derived master key, in bytes
    Pswd    = input password, a byte string
    Pbytes  = password length (at least 10 bytes)
    Salt    = input diversification value, a byte string
    Sbytes  = Salt length (at least 16 bytes)
    Icount  = a large iteration count (determines how many HMAC iterations are used to
              generate one block of the MK)

RETURNS:
    SUCCESS if all input parameters are valid
    FAILURE otherwise

LIMITATIONS:
    MKbytes >= 14
    Pbytes >= 10
    Sbytes >= 16
    Icount >= 1000
    The Counter value should fit into one byte (i.e. MKbytes / DigestLenB < 256)

DESCRIPTION:
Implements the Password-Based Key Derivation Function (PBKDF), IAW NIST SP 800-132 (Reference
[11]). An appropriate SHA environment (SHA-1, SHA-224, SHA-256, SHA-384 or SHA-512) must be
selected in advance using SHA_TypeSelect(). There is neither a Validation System in place, nor sample
test vectors published by CAVP for the PBKDF algorithm, as of January 2017.
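
The limits listed above and the roles of Icount and the block counter can be seen in a from-scratch PBKDF2 written against the Python standard library. This is an added example, not the Module's code or API: the names check_pbkdf_params, would_fail and pbkdf2_reference are hypothetical, and it assumes the one-byte counter limit means at most 255 output blocks.

```python
import hashlib
import hmac

# Limits copied from the LIMITATIONS block of the PBKDF() description.
MIN_MK_BYTES = 14
MIN_PSWD_BYTES = 10
MIN_SALT_BYTES = 16
MIN_ICOUNT = 1000
MAX_BLOCKS = 255  # assumption: "Counter fits into one byte" = at most 255 blocks

# Hash environments the policy lists for PBKDF.
APPROVED_HASHES = ("sha1", "sha224", "sha256", "sha384", "sha512")


class PBKDFParameterError(ValueError):
    """Raised where the described PBKDF() would return FAILURE."""


def check_pbkdf_params(hash_name, mk_bytes, pswd, salt, icount):
    """Validate the inputs; return (number of output blocks, digest length)."""
    if hash_name not in APPROVED_HASHES:
        raise PBKDFParameterError("hash is not one of the listed SHA types")
    if mk_bytes < MIN_MK_BYTES:
        raise PBKDFParameterError("MKbytes below 14")
    if len(pswd) < MIN_PSWD_BYTES:
        raise PBKDFParameterError("Pbytes below 10")  # never echo the password
    if len(salt) < MIN_SALT_BYTES:
        raise PBKDFParameterError("Sbytes below 16")
    if icount < MIN_ICOUNT:
        raise PBKDFParameterError("Icount below 1000")
    digest_len = hashlib.new(hash_name).digest_size
    blocks = -(-mk_bytes // digest_len)  # ceiling division
    if blocks > MAX_BLOCKS:
        raise PBKDFParameterError("block counter would not fit into one byte")
    return blocks, digest_len


def would_fail(hash_name, mk_bytes, pswd, salt, icount):
    """True where the parameter set violates one of the limits."""
    try:
        check_pbkdf_params(hash_name, mk_bytes, pswd, salt, icount)
    except PBKDFParameterError:
        return True
    return False


def pbkdf2_reference(hash_name, pswd, salt, icount, mk_bytes):
    """PBKDF2 with HMAC, one output block per counter value."""
    blocks, digest_len = check_pbkdf_params(hash_name, mk_bytes, pswd, salt, icount)
    mk = b""
    for counter in range(1, blocks + 1):
        # First HMAC covers Salt || counter (32-bit big-endian); with the
        # one-byte limit only the last of those four bytes is ever non-zero.
        u = hmac.new(pswd, salt + counter.to_bytes(4, "big"), hash_name).digest()
        block = int.from_bytes(u, "big")
        # Icount HMAC invocations in total are XORed into each block.
        for _ in range(icount - 1):
            u = hmac.new(pswd, u, hash_name).digest()
            block ^= int.from_bytes(u, "big")
        mk += block.to_bytes(digest_len, "big")
    return mk[:mk_bytes]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the policy.
    password = b"correct horse battery"
    salt = bytes(range(16))
    mk = pbkdf2_reference("sha256", password, salt, 1000, 40)
    print(mk.hex())
    print(mk == hashlib.pbkdf2_hmac("sha256", password, salt, 1000, 40))
```

Since CAVP published no PBKDF test vectors at the time of the policy, cross-checking against a second independent implementation, as the last line does with hashlib.pbkdf2_hmac, is one way to gain confidence in a derived key.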

2.1.2. Modes of Operation


The Module must be installed manually on the FIPS 140-2 certified operational environment listed in
Section 2.6. Once installed, it runs all algorithms in FIPS-approved mode, since it is explicitly compiled
to run only in FIPS-approved mode. When security functions are called through the Module API, the
Module offers no algorithms or “expanded” cryptographic modes other than the FIPS-approved ones
listed in Table 2.

The operational environment on which the Module runs shall be configured for FIPS mode when using a
FIPS-approved platform-provided Deterministic Random Bit Generator (DRBG) in the following ways:

• Windows Server OS: Enable the FIPS compliant algorithms mode via the Local Security Policy to
guarantee the Module generates FIPS-validated random bytes.
• BlackBerry OS: The Module confines its method calls to only those that have been FIPS-
approved to guarantee generating FIPS-validated random bytes.

2.1.3. Cryptographic Boundary


The physical boundary of the Module is the physical boundary of the operational environment hardware
device that executes the Module, as shown in the following figure. The figure also depicts a FIPS-
approved DRBG that is provided by the operational environment cryptographic Module listed in Section
2.6; the Module is therefore bound to either the Windows Server OS cryptographic Module or the
BlackBerry OS cryptographic Module.


Figure 1 – Module Cryptographic Boundary


2.1.4. Determining Module Version
The operator may determine the version of the Module by performing the following steps:

Dynamic Link Library (DLL) Module Version

1. On Windows, right-click the KEYWcryptoModule.dll file and select Properties
2. Select the Details tab
3. The File version property displays the KEYWcryptoModule version as v3.0.0.0

Shared Object (SO) Module Version

1. On BlackBerry, run the following console command:
objdump -p libKEYWcryptoModule.so.3 | grep SONAME

2. The console displays the KEYWcryptoModule version as v3

2.2. Cryptographic Module Ports and Interfaces


The Module ports correspond to the physical ports of the operational environment hardware device
that executes the Module:

• USB devices [keyboard and mouse]
• Video devices [monitors, screens, camera, and LED]
• Optical drives
• Audio devices [speakers, headset, and microphone]
• Network devices [Ethernet and Wireless adapters]
• Battery and power adapter

The Module interfaces correspond to the Module API, which does not interface across any of the physical
ports of the operational environment. The following table describes the Module logical interfaces.

| FIPS 140-2 Interface | Logical Interface |
|---|---|
| Data Input | Input parameters of Module constructors and function calls. |
| Data Output | Output parameters of Module function calls and return values. |
| Control Input | Module function calls. |
| Status Output | Return codes of Module function calls. |

Table 4 – Module Logical Interfaces

2.3. Roles, Services, and Authentication

2.3.1. Roles
The Module supports a Cryptographic Officer role and a User role. The Module does not support a
maintenance role. The Module does not support multiple or concurrent operators and is intended for
use by a single operator; it therefore always operates in a single-user mode of operation.


2.3.2. Services
The services described in the following tables are available to the operator roles:


Cryptographic Officer Role
| Service | Description | Input/Output | Return |
|---|---|---|---|
| Load Module | Performs Module initialization implicitly by the operational environment. | [in]: DLL/SO binary path; [out]: VOID | Pass/Fail |
| Power-On Self-Test (POST) | Performs software integrity and cryptographic self-tests implicitly upon Module load. | [in]: DLL/SO binary path, DLL/SO checksum path; [out]: VOID | Pass/Fail |
| Zeroize | Performs HMAC Integrity Checksum and Key zeroization implicitly after Module POST pass/fail. The HMAC Integrity Checksum and Key may also be zeroized by power-cycling the operational environment and reloading the Module. | [in]: HMAC Integrity Checksum, HMAC Integrity Check Key; [out]: VOID | VOID |
| Unload Module | Performs Module destruction implicitly by the operational environment. | [in]: VOID; [out]: VOID | VOID |

Table 5 – Module Services for Cryptographic Officer Role



User Role
Service Description Input/Output Return
Run Self Tests Performs cryptographic self- [in]: VOID Pass/Fail
tests for the Module. [out]: VOID
CM Show Title Gets title info for the Module. [in]: VOID Title Info
[out]: VOID
Version Info Gets version info for the [in]: VOID Version Info
Module. [out]: VOID
Self Tests Get cryptographic self-tests [in]: VOID Duration
Duration duration for the Module. [out]: VOID
AES Construct Constructs an AES object. [in]: AES bit mode, AES key AES object
[out]: VOID
Check Encrypt Verifies integrity of [in]: VOID Pass/Fail
/ Decrypt encryption/decryption tables. [out]: VOID
Tables
ReKey Rekeys an AES object with [in]: AES bit mode, AES key Pass/Fail
alternate AES key. [out]: VOID
ECB Encrypt Encrypts PT data. [in]: PT buffer, PT block length VOID
[out]: CT buffer
ECB Decrypt Decrypts CT data. [in]: CT buffer, PT block length VOID
[out]: PT buffer
CBC Encrypt Encrypts PT data. [in]: PT buffer, IV, PT block VOID

Page 15 of 44

KeyW Corporation Suite B Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Advanced Cyber Operations Sector KXD002


User Role
Service Description Input/Output Return
length
[out]: CT buffer
CBC Decrypt Decrypts CT data. [in]: CT buffer, IV, PT block VOID
length
[out]: PT buffer
CMAC Generates a Message [in]: PT data, PT length VOID
Generate Authentication Code (MAC). [out]: CMAC buffer, CMAC
length
Key Wrap Encrypts PT keys. [in]: PT key buffer, PT length, VOID
Encrypt Inverse cipher flag
[out]: CT key buffer
Key Wrap Decrypts CT keys. [in]: CT key buffer, CT length, Pass/Fail
Decrypt Inverse cipher flag
[out]: PT key buffer
KDF Generates a derived key. [in]: Label/IV, Label length, Pass/Fail
CTR/FB/DPI Context, Context length,
Counter length, Counter
location
[out]: Derived key, Derived
key length
Destruct Zeroizes AES key. [in]: VOID VOID
[out]: VOID
GCM Construct Constructs a GCM object. [in]: AES bit mode, AES key GCM object
[out]: VOID
ReKey Rekeys a GCM object with [in]: AES bit mode, AES key Pass/Fail
alternate AES key. [out]: VOID
Encrypt Encrypts PT data. [in]: Tag length, IV, IV length, Pass/Fail
PT buffer, PT length, AAD,
AAD length
[out]: CT buffer, Tag
Decrypt Decrypts CT data. [in]: Tag, Tag length, IV, IV Pass/Fail
length, CT buffer, CT length,
AAD, AAD length
[out]: PT buffer
GMAC Generates a Message [in]: Tag length, IV, IV length, Pass/Fail
Encrypt Authentication Code (MAC). AAD, AAD length
[out]: Tag
GMAC Validates a Message [in]: Tag, Tag length, IV, IV Pass/Fail
Decrypt Authentication Code (MAC). length, AAD, AAD length
[out]: VOID
GCM Destruct Zeroizes AES key and hash [in]: VOID VOID
key table. [out]: VOID
XTS Construct Constructs an XTS object. [in]: AES bit mode, ECB key, XTS object
Tweak key, DUNS or Tweak
value

Page 16 of 44

KeyW Corporation Suite B Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Advanced Cyber Operations Sector KXD002


User Role
Service Description Input/Output Return
[out]: VOID
ReKey Rekeys an XTS object with [in]: AES bit mode, ECB key, Pass/Fail
alternate AES key. Tweak key, DUNS or Tweak
value
[out]: VOID
Encrypt Encrypts PT data. [in]: AES bit mode, PT buffer, Pass/Fail
Sector bit length, ECB key,
Tweak key, DUNS or Tweak
value
[out]: CT buffer
Decrypt Decrypts CT data. [in]: AES bit mode, CT buffer, Pass/Fail
Sector bit length, ECB key,
Tweak key, DUNS or Tweak
value
[out]: PT buffer
Destruct Zeroizes AES key and tweak [in]: VOID VOID
value. [out]: VOID
ECC Construct Constructs an ECC object. [in]: EC type, SHA type ECC object
[out]: VOID
Type Select Changes the EC and SHA [in]: EC type, SHA type Pass/Fail
types. [out]: VOID
Check Params Verifies EC parameters. [in]: VOID Pass/Fail
[out]: VOID
Is Point Affine Determines if point is an [in]: EC Affine Point Pass/Fail
affine coordinate. [out]: VOID
Is Point Valid Determines if point has [in]: EC Affine Point Pass/Fail
correct order. [out]: VOID
Projectify Converts affine point to [in]: EC Affine Point VOID
projective point. [out]: EC Projective Point
Affinify Converts projective point to [in]: EC Projective Point Pass/Fail
affine point. [out]: EC Affine Point
Compress Converts affine point to [in]: EC Affine Point VOID
compressed point. [out]: EC Compressed Point
Decompress Converts compressed point [in]: EC Compressed Point Pass/Fail
to affine point. [out]: EC Affine Point
Double Affine Doubles an affine point. [in]: EC Affine Point VOID
[out]: EC Affine Point
Double Doubles a projective point. [in]: EC Projective Point VOID
Projective [out]: EC Projective Point
Double Doubles a projective point in- [inout]: EC Projective Point VOID
Projective place.
Add Affine Adds affine points. [in]: EC Affine Point, EC Affine VOID
Point
[out]: EC Affine Point
Add Adds projective points. [in]: EC Projective Point, EC VOID

Page 17 of 44

KeyW Corporation Suite B Cryptographic Module FIPS 140-2 Non-Proprietary Security Policy
Advanced Cyber Operations Sector KXD002


User Role
Service Description Input/Output Return
Projective Projective Point
[out]: EC Projective Point

Multiply Multiplies affine point by a [in]: Scalar, EC Affine Point Pass/Fail
scalar. [out]: EC Affine Point
Multiply Base Multiplies EC Base Point by a [in]: Scalar Pass/Fail
scalar. [out]: EC Affine Point
Double Multiplies two affine points [in]: Scalar, EC Affine Point, Pass/Fail
Multiply by two scalars. Scalar, EC Affine Point
[out]: EC Affine Point
ECDSA Public Computes the public ECDSA [in]: Private Key Pass/Fail
Key Gen key. [out]: EC Public Affine Point
ECDSA Computes the ECDSA [in]: Message, Message Pass/Fail
Signature Gen signature. length, Private Key, Ephemeral
Key
[out]: R component, S
component
ECDSA Verifies the ECDSA signature. [in]: Message, Message Pass/Fail
Signature length, R component, S
Check component, EC Public Affine
Point
[out]: VOID
ECDSA Verifies the ECDSA signature. [in]: Message, Message Pass/Fail
Signature length, R component, S
Check Private component, Private Key
[out]: VOID
Destruct Zeroizes ECC buffers. [in]: VOID VOID
[out]: VOID
FFC Construct Constructs a FFC object. [in]: VOID FFC Object
[out]: VOID
Ext Dec 2 Hex Converts an extended [in]: Decimal string buffer Pass/Fail
precision ("big") number [out]: Word buffer, Word
from decimal to binary buffer length
(hexadecimal).
Ext Hex 2 Dec Converts an extended [in]: Word buffer, Word buffer VOID
precision ("big") number length
from binary (hexadecimal) to [out]: Decimal string buffer
decimal.
| Service | Description | Input/Output | Return |
|---|---|---|---|
| Ext Compare | Compares word buffers. | [in]: Buffer A, Buffer B, Buffer A/B length; [out]: VOID | 1: a == b; 2: A > B; 4: A < B |
| Ext Mod | Reduces the a-operand modulo the n-operand. | [in]: a-operand, a length, n-operand, n length; [out]: x-operand | VOID |
| Ext Add | Multi-precision Add routine for unsigned integers. | [in]: a-operand, b-operand, a/b/x length; [out]: x-operand | Final carry bit |
| Ext Add | Multi-precision Add routine for unsigned integers. | [in]: b-operand, b/x length; [inout]: x-operand | Final carry bit |
| Ext Subtract | Multi-precision Subtract routine for unsigned integers. | [in]: a-operand, b-operand, a/b/x length; [out]: x-operand | Final borrow bit |
| Ext Subtract | Multi-precision Subtract routine for unsigned integers. | [in]: b-operand, b/x length; [inout]: x-operand | Final borrow bit |
| Ext Add Immed | Multi-precision Add routine of a single-precision, signed integer to a multi-precision unsigned integer. | [in]: b-operand, b/x length; [inout]: x-operand | Final carry |
| Ext Mod Add | Multi-precision modular Add routine for unsigned integers. | [in]: a-operand, b-operand, n-operand, a/b/n/x length; [out]: x-operand | VOID |
| Ext Mod Add | Multi-precision modular Add routine for unsigned integers. | [in]: b-operand, n-operand, b/n/x length; [inout]: x-operand | VOID |
| Ext Mod Subtract | Multi-precision modular Subtract routine for unsigned integers. | [in]: a-operand, b-operand, n-operand, a/b/n/x length; [out]: x-operand | VOID |
| Ext Mod Subtract | Multi-precision modular Subtract routine for unsigned integers. | [in]: b-operand, n-operand, b/n/x length; [inout]: x-operand | VOID |
| Ext Mod Add Immed | Modular Add routine of a single-precision, signed integer to a multi-precision unsigned integer. | [in]: b-operand, n-operand, b/n/x length; [inout]: x-operand | VOID |
| Ext Shift Left | Multi-precision 1-bit Left Shift routine for unsigned integers. | [in]: a-operand, Carry bit, a/x length; [inout]: x-operand | Final carry |
| Ext Shift Left | Multi-precision 1-bit Left Shift routine for unsigned integers. | [in]: x length; [inout]: x-operand | Final carry |
| Ext Mod Shift Left | Performs a modular addition of a long number to itself. | [in]: a-operand, n-operand, a/n/x length; [out]: x-operand | VOID |
| Ext Mod Shift Left | Performs a modular addition of a long number to itself. | [in]: n-operand, n/x length; [inout]: x-operand | VOID |
| Ext Shift Right | Multi-precision 1-bit Right Shift routine for unsigned integers. | [in]: a-operand, a/x length; [out]: x-operand | VOID |
| Ext Shift Right | Multi-precision 1-bit Right Shift routine for unsigned integers. | [in]: x length; [inout]: x-operand | VOID |
| Ext Mod Shift Right | Multi-precision modular divide-by-2 routine for unsigned integers. | [in]: n-operand, n/x length; [inout]: x-operand | VOID |
| Ext Shift Var | Multi-precision, multi-bit Left or Right Shift routine for unsigned integers. | [in]: a-operand, signed shift count, a/x length; [out]: x-operand | VOID |
| Ext Shift Var | Multi-precision, multi-bit Left or Right Shift routine for unsigned integers. | [in]: signed shift count, x length; [inout]: x-operand | VOID |
| Ext Bin Mod Inverse | Performs modular inversion 1/a with respect to a modulus n (usually a prime number) in multiple precision arithmetic. | [in]: a-operand, n-operand, a/n length; [out]: a-inverse-result | VOID |
| Ext Bin Mod Divide | Performs modular division b/a with respect to a modulus n (usually a prime number) in multiple precision arithmetic. | [in]: b-operand, a-operand, n-operand, b/a/n length; [out]: ba-dividend-result | VOID |
| Ext Bin Mod Inverse v2 | Performs modular inversion 1/a with respect to a modulus n (usually a prime number) in multiple precision arithmetic. | [in]: a-operand, n-operand, a/n length; [out]: a-inverse-result | VOID |
| Ext Multiply | Multi-precision multiplication routine for unsigned integers of the same size. | [in]: a-operand, b-operand, a/b/x length; [out]: x-operand | VOID |
| Ext Multiply | Multi-precision multiplication routine for unsigned integers of different sizes. | [in]: a-operand, a length, b-operand, b length; [out]: x-operand | VOID |
| Ext Mod Multiply | Multi-precision modular Multiply routine for unsigned integers. | [in]: a-operand, b-operand, n-operand, a/b/n/x length; [out]: x-operand | VOID |
| Ext Square | Multi-precision squaring routine for unsigned integers. | [in]: a-operand, a length; [out]: x-operand | VOID |
| Ext Mod Square | Multi-precision modular squaring routine for unsigned integers. | [in]: a-operand, n-operand, a/n/x length; [out]: x-operand | VOID |
| Ext Divide | Multi-precision division routine for unsigned integers. | [in]: a-operand, a length, n-operand, n length; [out]: q-operand, r-operand | VOID |
| Ext Mod Inverse | Performs modular inversion 1/a with respect to a modulus n (usually a prime number) in multiple precision arithmetic. | [in]: a-operand, n-operand, a/n length; [out]: a-inverse-result | VOID |
| Ext Mod Divide | Performs modular division b/a with respect to a modulus n (usually a prime number) in multiple precision arithmetic. | [in]: b-operand, a-operand, n-operand, b/a/n length; [out]: ba-dividend-result | VOID |
| Ext Sqrt | Multi-precision square-root routine for unsigned integers. | [in]: a-operand, a length; [out]: sqrt-result | Pass/Fail |
| Ext Sqrt v0 | Multi-precision square-root routine for unsigned integers. | [in]: a-operand, a length; [out]: sqrt-result | Pass/Fail |
| Ext Sqrt v1 | Multi-precision square-root routine for unsigned integers. | [in]: a-operand, a length; [out]: sqrt-result | Pass/Fail |
| Find n0 Prime | Computes the Montgomery arithmetic parameter n0'. | [in]: LSW of modulus; [out]: VOID | Montgomery arithmetic parameter |
| Mont Image v0 | Computes the Montgomery Image (aM) of an unsigned integer a with respect to a modulus n. | [in]: a-operand, n-operand, a/n/x length; [out]: x-operand | VOID |
| Mont Image | Computes the Montgomery Image (aM) of an unsigned integer a with respect to a modulus n. | [in]: a-operand, n-operand, a/n/x length; [out]: x-operand | VOID |
| Mont Prod | Multi-precision Montgomery Product routine for unsigned integers. | [in]: a-operand, b-operand, n-operand, LSW of modulus, a/b/n/x length; [out]: x-operand | VOID |
| Mont Square | Multi-precision Montgomery Squaring routine for unsigned integers. | [in]: a-operand, n-operand, LSW of modulus, a/n/x length; [out]: x-operand | VOID |
| Rev Mont Image | This function converts a multi-precision integer from Montgomery representation to binary (normal) representation. | [in]: a-operand, n-operand, LSW of modulus, a/n/x length; [out]: x-operand | VOID |
| Mont Exp | Multi-precision Montgomery Exponentiation routine for unsigned integers. | [in]: b-operand, e-operand, e length, n-operand, b/n length; [out]: x-operand | VOID |
| Mont Mod Inverse | Computes a_inv = 1/aop (mod nop) using Fermat's Little Theorem. | [in]: a-operand, n-operand, a/n length; [out]: a-inverse-result | VOID |
| Mont Mod Sqrt | Computes the square root of a multi-precision operand (a) modulo a prime modulus (n). | [in]: a-operand, n-operand, a/n length; [out]: a-sqrt-result | Pass/Fail |
| Barrett Inverse | Calculates the modulus-dependent quantity. | [in]: n-operand, n/x length; [out]: x-operand | VOID |
| Barrett Mod Multiply | Multi-precision modular multiplication routine for unsigned integers. | [in]: a-operand, b-operand, n-operand, u-operand, a/b/n/x length; [out]: x-operand | VOID |
| Barrett Exp | Multi-precision exponentiation routine for unsigned integers. | [in]: b-operand, e-operand, e length, n-operand, u-operand, b/n length; [out]: x-operand | VOID |
| Barrett Mod Inverse | Computes a_inv = 1/aop (mod nop) using Fermat's Little Theorem. | [in]: a-operand, n-operand, a/n length; [out]: a-inverse-result | VOID |
| Barrett Mod Sqrt | Computes the square root of a multi-precision operand (a) modulo a prime modulus (n). | [in]: a-operand, n-operand, a/n length; [out]: a-sqrt-result | Pass/Fail |
| Probab Mod Sqrt | General probabilistic algorithm to compute the square root modulo a prime number. | [in]: a-operand, n-operand, a/n length; [out]: a-sqrt-result | Pass/Fail |
| Probab Mod Sqrt v2 | General probabilistic algorithm to compute the square root modulo a prime number. | [in]: a-operand, n-operand, a/n length; [out]: a-sqrt-result | Pass/Fail |
| Probab Mod Sqrt v1 | General probabilistic algorithm to compute the square root modulo a prime number. | [in]: a-operand, n-operand, a/n length; [out]: a-sqrt-result | Pass/Fail |
| Probab Mod Sqrt v0 | General probabilistic algorithm to compute the square root modulo a prime number. | [in]: a-operand, n-operand, a/n length; [out]: a-sqrt-result | Pass/Fail |
| Jacobi Symbol | Computes the Jacobi symbol for an integer a and an odd modulus n | [in]: a-operand, n-operand, a/n length; [out]: VOID | 1 if a in QR(n), else -1/0 |
| Destruct | Destructs the FFC object. | [in]: VOID; [out]: VOID | VOID |
| KAS ECC Construct | Constructs a KAS ECC object. | [in]: KAS type, initiator id, responder id, algorithm id, MAC key length, MAC tag length; [out]: VOID | KAS ECC object |
| Type Select | Changes the KAS type. | [in]: KAS type, initiator id, responder id, algorithm id, MAC key length, MAC tag length; [out]: VOID | Pass/Fail |
| ECDH Init 1 | Computes Phase 1 of Full Unified Model on initiator side. | [in]: Initiator ephemeral private key; [out]: Initiator ephemeral public key | Pass/Fail |
| ECDH Resp 1 | Computes Phase 1 of Full Unified Model on responder side. | [in]: Responder static private key, Responder static public key, Responder ephemeral private key, Initiator static public key, Initiator ephemeral public key, Nonce; [out]: Responder ephemeral public key, MAC key, AES initiator/responder keys, Responder MAC tag | Pass/Fail |
| ECDH Init 2 | Computes Phase 2 of Full Unified Model on initiator side. | [in]: Initiator static private key, Initiator static public key, Initiator ephemeral private key, Initiator ephemeral public key, Nonce, Responder static public key, Responder ephemeral public key, Responder MAC tag; [out]: AES initiator/responder keys, Initiator MAC tag | Pass/Fail |
| ECDH Resp 2 | Computes Phase 2 of Full Unified Model on responder side. | [in]: Responder ephemeral public key, MAC key, Initiator ephemeral public key, Initiator MAC tag; [out]: VOID | Pass/Fail |
| MQV Primitive | Computes the full form of the ECC MQV primitive. | [in]: Initiator static private key, Initiator ephemeral private key, Initiator ephemeral public key, Responder static public key, Responder ephemeral public key; [out]: Shared secret | Pass/Fail |
| MQV Init 1 | Computes Phase 1 of Full MQV Model on initiator side. | [in]: Initiator ephemeral private key; [out]: Initiator ephemeral public key | Pass/Fail |
| MQV Resp 1 | Computes Phase 1 of Full MQV Model on responder side. | [in]: Responder static private key, Responder static public key, Responder ephemeral private key, Initiator static public key, Initiator ephemeral public key, Nonce; [out]: Responder ephemeral public key, MAC key, AES initiator/responder keys, Responder MAC tag | Pass/Fail |
| MQV Init 2 | Computes Phase 2 of Full MQV Model on initiator side. | [in]: Initiator static private key, Initiator static public key, Initiator ephemeral private key, Initiator ephemeral public key, Nonce, Responder static public key, Responder ephemeral public key, Responder MAC tag; [out]: AES initiator/responder keys, Initiator MAC tag | Pass/Fail |
| MQV Resp 2 | Computes Phase 2 of Full MQV Model on responder side. | [in]: Responder ephemeral public key, MAC key, Initiator ephemeral public key, Initiator MAC tag; [out]: VOID | Pass/Fail |
| Destruct | Destructs the KAS ECC object. | [in]: VOID; [out]: VOID | VOID |
| SHA Construct | Constructs a SHA object. | [in]: SHA type; [out]: VOID | SHA object |
| Type Select | Changes the SHA type. | [in]: SHA type; [out]: VOID | Pass/Fail |
| Proc Message | Generates a message digest. | [in]: Message, Message length; [out]: Digest | VOID |
| Proc Message | Generates a message digest. | [in]: SHA type, Message, Message length; [out]: Digest | VOID |
| Proc Init | Initializes first message digest segment. | [in]: Message, Message length; [out]: VOID | VOID |
| Proc Init | Initializes first message digest segment. | [in]: SHA type, Message, Message length; [out]: VOID | VOID |
| Proc Update | Updates middle segment message digest segment. | [in]: Message, Message length; [out]: VOID | VOID |
| Proc Final | Generates final message digest. | [in]: Message, Message length; [out]: Digest | VOID |
| 160 Proc Message | Generates a message digest. | [in]: Message, Message length, SHA mode; [out]: Digest | VOID |
| HMAC Proc Message | Generates a Keyed-Hash Message Authentication Code (HMAC) digest. | [in]: Message, Message length, key, key length; [out]: Digest | VOID |
| HMAC Proc Message | Generates a HMAC tag. | [in]: Message, Message length, key, key length; [out]: MAC tag, MAC tag length | VOID |
| HMAC Proc Init | Initializes first HMAC message digest segment. | [in]: Message, Message length, key, key length; [out]: VOID | VOID |
| HMAC Proc Update | Updates middle HMAC segment message digest segment. | [in]: Message, Message length; [out]: VOID | VOID |
| HMAC Proc Final | Generates final HMAC message digest. | [in]: Message, Message length; [out]: Digest | VOID |
| HMAC Proc Final | Generates final HMAC message digest. | [in]: Message, Message length; [out]: MAC tag, MAC tag length | VOID |
| KDF CTR/FB/DPI | Generates a derived key. | [in]: Label/IV, Label length, Context, Context length, Counter length, Counter location; [out]: Derived key, Derived key length | VOID |
| PBKDF | Generates a derived key from password and salt. | [in]: Password, Password length, Salt, Salt length, iteration count; [inout]: Derived key length; [out]: Derived key | VOID |
| Destruct | Zeroizes SHA buffers. | [in]: VOID; [out]: VOID | VOID |
| Util’s Zeroize | Zeroizes fixed-size buffers. | [inout]: Buffer | VOID |
| Obfuscate | Zeroized fixed-size buffer with random data from DRBG. | [inout]: Buffer | VOID |
| Word Str Clr | Zeroizes buffer. | [in]: Buffer length; [inout]: Buffer | VOID |
| Word Str Cpy | Copies buffer. | [in]: Input Buffer, Buffer length; [out]: Copied buffer | VOID |
| Word Str Diff | Differences buffers. | [in]: Buffer a, Buffer b, a/b length; [out]: VOID | Non-zero value indicates difference |
| Word Str Cmp | Compares buffers. | [in]: Buffer a, Buffer b, a/b length; [out]: VOID | Pass/Fail |
| Word Str Cmp v0 | Compares buffer to zero. | [in]: Buffer, Buffer length; [out]: VOID | Pass/Fail |
| Word Str Cmp v1 | Compares buffer to zero. | [in]: Buffer, Buffer length; [out]: VOID | Pass/Fail |
| My Mem Cmp K | Compares byte buffer to byte. | [in]: Buffer, Buffer length, byte value; [out]: VOID | Pass/Fail |
| CleanUp | Zeroizes word buffer and verifies zeroed. | [in]: Buffer length; [inout]: Buffer | VOID |
| CleanUp | Zeroizes byte buffer and verifies zeroed. | [in]: Buffer length; [inout]: Buffer | VOID |
| Words 2 Bytes | Converts word buffer to byte buffer. | [in]: Word buffer, Word buffer length; [out]: byte buffer | VOID |
| Bytes 2 Words | Converts byte buffer to word buffer. | [in]: Byte buffer, Word buffer length; [out]: Word buffer | VOID |
| DWords 2 Bytes | Converts double word buffer to byte buffer. | [in]: DWord buffer, DWord buffer length; [out]: byte buffer | VOID |
| Bytes 2 DWords | Converts byte buffer to double word buffer. | [in]: Byte buffer, DWord buffer length; [out]: DWord buffer | VOID |
| Quick Random Bytes | Generates pseudo-random bytes from DRBG. | [in]: Buffer length; [out]: Buffer | Pass/Fail |
| Stristr | Case-insensitive substring search | [in]: Buffer, search string; [out]: VOID | Substring |
| My Memi Cmp | Case-insensitive byte buffer comparison | [in]: Buffer a, Buffer b, a/b length; [out]: VOID | Non-zero value indicates difference |
| Scan Hex Data | Decodes a byte string buffer into a byte buffer. | [in]: String buffer; [out]: Byte buffer | Length of byte buffer |
| Scan Hex Data | Decodes a byte string buffer into a word buffer. | [in]: String buffer; [out]: Word buffer | Length of word buffer |
| Scan Hex Align Right | Decodes a byte string buffer into a word buffer with right alignment. | [in]: String buffer; [inout]: Word buffer length; [out]: Word buffer | VOID |
| Read Dec Param | Reads decimal parameter from input file stream. | [in]: Input file stream, Offset header; [out]: VOID | Decimal parameter |
| Scan Hex Data | Decodes a byte string from an input stream into a word buffer. | [in]: Input file stream, Bit length, Offset header; [out]: Word buffer | VOID |
| Scan Hex Data | Decodes a byte string from an input stream into a byte buffer. | [in]: Input file stream, Bit length, Offset header; [out]: Byte buffer | VOID |
| Scan Hex Data | Decodes a byte string from an input stream into a word buffer. | [in]: Input file stream, Offset header; [out]: Word buffer | Length of word buffer |
| Scan Hex Align Right | Decodes a byte string from an input stream into a word buffer with right alignment. | [in]: Input file stream, Word buffer length, Offset header; [out]: Word buffer | Pass/Fail |
| Write Hex Data | Encodes word buffer into string buffer. | [in]: String buffer, Word buffer length; [out]: Word buffer | VOID |
| Write Hex Data | Encodes byte buffer into string buffer. | [in]: String buffer, Byte buffer length; [out]: Byte buffer | VOID |
| Write Hex Data | Writes word buffer into output stream as a string. | [in]: Output file stream, Word buffer length, Offset header, Skip zeros; [out]: Word buffer | VOID |
| Write Hex Data | Writes byte buffer into output stream as a string. | [in]: Output file stream, Byte buffer length, Offset header; [out]: Byte buffer | VOID |
Table 6 – Module Services for User Role

2.3.3. Authentication
The Module does not support operator authentication. Roles are selected implicitly based on the
service performed by the operator.

| Role | Type of Authentication | Authentication Data |
|---|---|---|
| Cryptographic Officer | N/A | N/A |
| User | N/A | N/A |
Table 7 – Module Authentication

2.4. Finite State Model


The Finite State Model (FSM) describes the overall behavior and transitions the Module undergoes
based upon its current state and commands received. The FSM was reviewed as part of the overall FIPS
140-2 validation.

2.5. Physical Security


The Module is implemented entirely in software, thus it is not subject to the FIPS 140-2 Physical Security
requirements. The operational environment that executes the Module should be located on
production-grade equipment and is expected to be secured by best practices.

2.6. Operational Environment
The Module runs in a single-user FIPS 140-2 certified operational environment where each calling
application runs in a virtually separated, independent space and is compatible with the DRBG on which it
runs based upon configuration. The Module is implemented entirely in software, and for FIPS 140-2
purposes, is classified as multi-chip standalone per the operational environment on which it runs.

| Module | Operational Environment | CMVP Certificate | CAVP DRBG Certificate |
|---|---|---|---|
| KEYWcryptoModule.dll | Intel Xeon E5530 w/ Microsoft Windows Server 2012 R2 (64-bit) | #2357 | #489, #523 |
| libKEYWcryptoModule.so.3 | Qualcomm Snapdragon 801 w/ BlackBerry OS 10.3 | #1578 | #81 |
| libKEYWcryptoModule.so.3 | Qualcomm Snapdragon S4 w/ BlackBerry OS 10.3 | #1578 | #81 |
Table 8 – Operational Environments

2.7. Cryptographic Key Management


The following table describes the cryptographic keys, key components and Critical Security Parameters
(CSPs) utilized exclusively by the Module.

| Key / CSP | Mode / Key/CSP Size | Use | Access Type | Input / Output | Storage | Destruction |
|---|---|---|---|---|---|---|
| HMAC Integrity Check Key | SHA-512 | Symmetric key used for Software Integrity Checksum. | Crypto Officer Role: Read & Write | Symmetric key generated during each Module initialization as input where a new symmetric key is generated after each build. See Section 2.9 for more details on Software Integrity POST. | Held in RAM as plaintext temporarily for single-use and is not stored during Module initialization. | Zeroized immediately after Module initialization via zeroize service from Module API. |
| HMAC Integrity Checksum CSP | SHA-512 | Checksum CSP used in Software Integrity Checksum. | Crypto Officer Role: Read & Write | Checksum CSP entered as input during each Module initialization where a new Checksum CSP is generated after each build. | Held in RAM as plaintext temporarily for single-use and is not stored during Module initialization. | Zeroized immediately after Module initialization via zeroize service from Module API. |
| AES-ECB Key | ECB-128, ECB-192, ECB-256 | Symmetric key used for encryption and decryption of user data. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API. |
| AES-CBC Key | CBC-128, CBC-192, CBC-256 | Symmetric key used for encryption and decryption of user data. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API. |
| AES-CBC IV CSP | CBC-128, CBC-192, CBC-256 | IV CSP used in encryption and decryption of user data. | User Role: Read & Write | IV CSP entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing IV CSP via zeroize service from Module API or via platform-provided API. |
| AES-GCM Key | GCM-128, GCM-192, GCM-256 | Symmetric key used for encryption and decryption of traffic data. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext with Tag as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API. |
| AES-GCM IV CSP | GCM-128, GCM-192, GCM-256 | IV CSP used in encryption and decryption of traffic data. | User Role: Read & Write | IV CSP entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext with Tag as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing IV CSP via zeroize service from Module API or via platform-provided API. |
| AES-XTS Keys | XTS-128, XTS-256 | Symmetric keys used for encryption and decryption of stored data. | User Role: Read & Write | Symmetric keys entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API. |
| AES-XTS Tweak Value CSP | XTS-128, XTS-256 | Tweak value CSP used in encryption and decryption of stored data. | User Role: Read & Write | Tweak value CSP entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing Tweak value CSP via zeroize service from Module API or via platform-provided API. |
| AES-KW/KWP Key | KW-128, KW-192, KW-256, KWP-128, KWP-192, KWP-256 | Symmetric key used for encryption and decryption of other keys. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and plaintext or ciphertext as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API. |
| CMAC Key | AES-128, AES-192, AES-256 | Symmetric key used for message authentication. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and MAC as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API. |
| GMAC Key | AES-128, AES-192, AES-256 | Symmetric key used for message authentication. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and MAC as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API. |
| GMAC IV CSP | AES-128, AES-192, AES-256 | IV CSP used for message authentication. | User Role: Read & Write | IV CSP entered, established, or generated by operational environment DRBG as input and MAC as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing IV CSP via zeroize service from Module API or via platform-provided API. |
| HMAC Key | SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | Symmetric key used for message authentication. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and MAC as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API. |
| ECDSA Key | P-192: SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256; P-224: SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256; P-256: SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256; P-384: SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256; P-521: SHA-1 (SHA-160), SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 | Asymmetric key used for digital signature. Per NIST SP 800-131A, P-192 and SHA-1 are no longer considered secure and shall not be used to generate digital signatures (Ref. [14]). | User Role: Read & Write | Asymmetric key entered or generated by operational environment DRBG as input and digital signature scalars computed as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing asymmetric key via zeroize service from Module API or via platform-provided API. |
| ECC KAS Keys | FullUnified KC EB P-224, SHA-224; FullUnified KC EC P-256, SHA-256; FullUnified KC ED P-384, SHA-384; FullUnified KC EE P-521, SHA-512; FullMQV KC EB P-224, SHA-224; FullMQV KC EC P-256, SHA-256; FullMQV KC ED P-384, SHA-384; FullMQV KC EE P-521, SHA-512 | Asymmetric keys and MAC keys used for key establishment. | User Role: Read & Write | Asymmetric keys and MAC keys entered or generated by operational environment DRBG as input and symmetric keys derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing asymmetric/symmetric keys via zeroize service from Module API or via platform-provided API. |
| ECC KAS Nonce & MAC tag CSPs | FullUnified KC EB P-224, SHA-224; FullUnified KC EC P-256, SHA-256; FullUnified KC ED P-384, SHA-384; FullUnified KC EE P-521, SHA-512; FullMQV KC EB P-224, SHA-224; FullMQV KC EC P-256, SHA-256; FullMQV KC ED P-384, SHA-384; FullMQV KC EE P-521, SHA-512 | Nonce and MAC tag CSPs used in key establishment. | User Role: Read & Write | Nonce and MAC tag CSPs entered or generated by operational environment DRBG as input and symmetric keys derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing Nonce and MAC tag CSPs via zeroize service from Module API or via platform-provided API. |
| ECC KAS Shared Secret & DKM CSPs | FullUnified KC EB P-224, SHA-224; FullUnified KC EC P-256, SHA-256; FullUnified KC ED P-384, SHA-384; FullUnified KC EE P-521, SHA-512; FullMQV KC EB P-224, SHA-224; FullMQV KC EC P-256, SHA-256; FullMQV KC ED P-384, SHA-384; FullMQV KC EE P-521, SHA-512 | Shared Secret and DKM CSPs derived during key establishment. | User Role: N/A | Shared Secret and DKM CSPs derived as output between KAS phases. | Held in RAM as plaintext temporarily for single-use and is not stored between KAS phases. | Zeroized immediately between KAS phases via zeroize service from Module API. |
| ECC CDH Primitive Keys | P-224, P-256, P-384, P-521 | Asymmetric keys used for shared secret CSP establishment. | User Role: Read & Write | Asymmetric keys, entered or generated by operational environment DRBG as input and shared secret CSP derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing asymmetric keys via zeroize service from Module API or via platform-provided API. |
| ECC CDH Primitive Shared Secret CSPs | P-224, P-256, P-384, P-521 | Shared secret CSPs derived from establishment. | User Role: Read & Write | Shared secret CSP derived as output when asymmetric keys entered or generated by operational environment DRBG as input. | Held in RAM as plaintext. | Calling application is responsible for zeroizing shared secret CSPs via zeroize service from Module API or via platform-provided API. |
| KBKDF-CMAC-CTR Keys | CMAC-AES-128, CMAC-AES-192, CMAC-AES-256 | Symmetric key used for key derivation. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API. |
| KBKDF-CMAC-FB Keys | CMAC-AES-128, CMAC-AES-192, CMAC-AES-256 | Symmetric key used for key derivation. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API. |
| KBKDF-CMAC-FB IV CSP | CMAC-AES-128, CMAC-AES-192, CMAC-AES-256 | IV CSP used in key derivation. | User Role: Read & Write | IV CSP entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing IV CSP via zeroize service from Module API or via platform-provided API. |
| KBKDF-CMAC-DPI Keys | CMAC-AES-128, CMAC-AES-192, CMAC-AES-256 | Symmetric key used for key derivation. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API. |
| KBKDF-HMAC-CTR Keys | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | Symmetric key used for key derivation. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API. |
| KBKDF-HMAC-FB Keys | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | Symmetric key used for key derivation. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API. |
| KBKDF-HMAC-FB IV CSP | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | IV CSP used in key derivation. | User Role: Read & Write | IV CSP entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing IV CSP via zeroize service from Module API or via platform-provided API. |
| KBKDF-HMAC-DPI Keys | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | Symmetric key used for key derivation. | User Role: Read & Write | Symmetric key entered, established, or generated by operational environment DRBG as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric keys via zeroize service from Module API or via platform-provided API. |
| PBKDF Password CSP | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | Password CSP used in password-based key derivation. | User Role: Read & Write | Password CSP entered by calling application as input and symmetric key derived as output. | Held in RAM as plaintext. | Calling application is responsible for zeroizing Password CSP via zeroize service from Module API or via platform-provided API. |
| PBKDF Key | HMAC-SHA-1 (SHA-160), HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | Symmetric key derived from password-based key derivation. | User Role: Read & Write | Symmetric key derived as output when Password CSP entered by calling application as input. | Held in RAM as plaintext. | Calling application is responsible for zeroizing symmetric key via zeroize service from Module API or via platform-provided API. |
Table 9 – Module Cryptographic Keys and Critical Security Parameters

2.7.1. Key Zeroization


The Module API leverages fixed-size buffer zeroization via memset and pseudorandom buffer filling. The
Cryptographic Officer operator may request HMAC Integrity Check Key zeroization at any time by
power-cycling the operational environment and reloading the Module. Also, the Cryptographic Officer
operator may manually uninstall the Module from the operational environment and reformat (i.e.
overwrite at least once) the platform’s hard drive or other permanent storage media. Performing only
the procedural uninstallation of the Module is not an acceptable key zeroization method.
The User operator must zeroize keys/CSPs stored in the operational environment by calling a zeroize
service provided by the Module API or via platform-provided API.

2.8. Electromagnetic Interference and Compatibility


The Module meets the requirements of the FIPS 140-2 EMI/EMC Level 1 specification, as the operational
environment on which the Module software runs passed validation executing upon the general-purpose
computer (GPC) that conforms to the EMI/EMC requirements specified by 47 Code of Federal Regulations,
Part 15, Subpart B, Unintentional Radiators, Digital Devices, Class A (i.e., for business use).

2.9. Self-Tests
The Module implements Power-On Self-Tests (POST) and conditional self-tests that are described in the
following tables:

Test: Software Integrity
Description: The Module validates its own software integrity upon load of the Module DLL/SO file.
  The integrity check is a two-step process consisting of an HMAC verification (based on the
  FIPS-approved HMAC-512 algorithm), applied to the whole Module DLL/SO image processed as a
  binary data file.
  In the first step, the 512-bit (64-byte) HMAC key for the HMAC verification is derived via a
  FIPS-approved KBKDF from several build-specific data fields including the current version
  string and build date, which are compiled into the Module and are not modifiable. This HMAC
  key customization is aimed at preventing malicious Module DLL/SO rebuilds and authenticating
  the original build only.
  In the second step, the 512-bit HMAC key is used to perform an HMAC-512 integrity check of the
  whole Module DLL/SO image. This computation produces a 512-bit checksum that is compared
  against a hexadecimal value pre-stored in a properties file.

Test: AES Check Encryption/Decryption Tables
Description: Verifies the integrity of the pre-built Sbox substitution table and inverse Sbox
  substitution table. The Sbox substitution table is pre-converted to four 32-bit tables, in
  order to speed up AES encryption in 32-bit processing mode while the inverse Sbox substitution
  table is pre-converted to four 32-bit tables, in order to speed up AES decryption in 32-bit
  processing mode.

Test: GCM Encrypt/Decrypt KAT
Description: Exercises a set of Known Answer Tests (KATs) extracted from the GCM test vectors
  published by NIST in the GCMVS specification (Reference [18]) on all three GCM encryption
  modes corresponding to AES key sizes of 128, 192 and 256 bits featuring the largest
  combinations of PT, IV and AAD.
  The comprehensive GCM KATs implicitly provide assurance about the validity of the underlying
  AES cryptographic algorithms.

Test: SHA KAT
Description: Exercises a set of Known Answer Tests (KATs) extracted from the SHA test vectors
  published by NIST in the SHAVS specification (Reference [21]) on all SHA versions (SHA-1,
  SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256) specified in FIPS Publication
  180-4 featuring mixed hash/digest size combinations with the longest input data.
  The comprehensive SHA KATs implicitly provide assurance about the validity of the Key
  Derivation Function (KDF) employed by the ECDH Key Agreement Scheme (as recommended in NIST
  SP 800-56A – Reference [15], a SHA-based concatenation KDF is being used).

Test: HMAC KAT
Description: Exercises a set of Known Answer Tests (KATs) extracted from the HMAC test vectors
  published by NIST in the HMACVS specification (Reference [22]) featuring the largest
  combinations of key and tag sizes covering all versions of the underlying hashing algorithm
  (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256).
  The comprehensive HMAC KATs implicitly provide assurance about the validity of the Bilateral
  Key Confirmation method employed by the ECDH Key Agreement Scheme (Reference [15],
  Section 8.4).

Test: ECDSA KeyPair/PKV KAT
Description: Exercises a set of Known Answer Tests (KATs) adapted from the ECDSA KeyPair
  (private/public key verification) and PKV (Public Key Validation) test vectors published by
  NIST in the ECDSA2VS specification (Reference [24]) covering each version of the underlying
  prime-field EC (P-192, P-224, P-256, P-384 and P-521).
  The ECDSA KeyPair tests include multiple KAT verifications of ECC point multiplication, which
  is the ECC primitive used for shared-secret (“Z”) computation by the ECDH Key Agreement
  Scheme.

Test: ECDSA SigGen KAT
Description: Exercises a set of Known Answer Tests (KATs) adapted from the SigGen test vectors
  published by NIST in the ECDSA2VS specification (Reference [24]). In this test category,
  ECDSA2VS only provides the message to be signed. The module generates a private key, computes
  the corresponding public key, generates an ECDSA “secret number” (ephemeral key) from the
  DRBG, computes the message signature using the private key and verifies the signature with
  the public key. For completeness, the signature is verified with the private key as well.
  One long test vector is exercised for each combination of prime field EC (P-224, P-256, P-384
  and P-521) and hashing algorithm (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and
  SHA-512/256). In the latest NIST Suite B specifications P-192 EC and SHA-1 are no longer
  considered suitable for secure ECDSA generation (Reference [14]).

Test: ECDSA SigVer KAT
Description: Exercises a set of Known Answer Tests (KATs) adapted from the SigVer test vectors
  published by NIST in the ECDSA2VS specification (Reference [24]). These test cases are in
  compliance with the latest ECDSA specification (FIPS 186-4, Reference [12]), which allows any
  prime-field EC (P-192, P-224, P-256, P-384 or P-521) to be combined with each SHA version from
  FIPS 180-4 (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 or SHA-512/256) in an ECDSA
  computation. One test case from each EC/SHA combination, featuring the longest message, is
  exercised.

Test: ECDH Full Unified Key Agreement Scheme (KAS) KAT
Description: Exercises a set of Known Answer Tests (KATs) adapted from the ECDH test vectors
  published by NIST in the KASVS specification (Reference [25]) featuring the Full Unified Model
  of ECDH covering each version of the underlying prime-field EC (P-224, P-256, P-384 and
  P-521). Each test run includes both Initiator-side and Responder-side functions.
  The underlying cryptographic algorithms used during ECDH key agreement are fully validated via
  individual POSTs:
  • ECC point multiplication is validated via ECDSA KeyPair KATs
  • The Key Derivation Function is validated via SHA KATs
  • The Key Confirmation function is validated via HMAC KATs

Test: ECDH Full MQV Key Agreement Scheme (KAS) KAT
Description: Exercises a set of Known Answer Tests (KATs) adapted from the ECDH test vectors
  published by NIST in the KASVS specification (Reference [25]) featuring the Full MQV model of
  ECDH covering each version of the underlying prime-field EC (P-224, P-256, P-384 and P-521).
  Each test run includes both Initiator-side and Responder-side functions.
  The underlying cryptographic algorithms used during ECDH key agreement are fully validated via
  individual POSTs:
  • ECC point multiplication is validated via ECDSA KeyPair KATs
  • The Key Derivation Function is validated via SHA KATs
  • The Key Confirmation function is validated via HMAC KATs

Test: XTS Encrypt/Decrypt KAT
Description: Exercises a set of Known Answer Tests (KATs) extracted from the XTS test vectors
  published by NIST in the XTSVS specification (Reference [19]). Both formats specified for the
  tweak value input (128-bit hexadecimal string or 64-bit Data Unit Sequence Number) are being
  tested with various, non-trivial Data Unit bit sizes in encrypt and decrypt mode.
  The comprehensive XTS KATs implicitly provide assurance about the validity of the underlying
  AES cryptographic algorithms.

Test: KW/KWP Encrypt/Decrypt KAT
Description: Exercises a set of Known Answer Tests (KATs) extracted from KW and KWP test vectors
  published by NIST with the Key Wrap Validation System (KWVS) specification (Reference [20]).
  All three encryption modes are tested for KW and KWP, corresponding to AES key sizes of 128,
  192 and 256 bits. Also, the underlying AES block cipher is tested in either forward direction
  or inverse direction during KW/KWP encryption. Two non-trivial test vectors are exercised for
  each combination of AES key size, KW/KWP and forward/inverse block cipher.
  The comprehensive KW/KWP KATs implicitly provide assurance about the validity of the
  underlying AES cryptographic algorithms.

Test: KBKDF KAT
Description: Exercises a set of Known Answer Tests (KATs) extracted from KDF test vectors
  published by NIST with the Key Derivation using Pseudorandom Functions (SP800-108) Validation
  System (KBKDFVS) (Reference [23]). Both CMAC and HMAC algorithms are exercised as underlying
  pseudo-random function (PRF). For each PRF, SP800-108 specifies three modes of key derivation
  from a set of inputs: Counter Mode (CTR), FeedBack Mode (FB) and Double-Pipeline Iteration
  Mode (DPI), which are all represented during a KDF self-test run. At least one non-trivial
  test case has been included for each input parameter combination specified in KBKDFVS, adding
  up to 12 KDF CTR tests, 32 KDF FB tests and 16 KDF DPI tests.

Test: PBKDF KAT
Description: The comprehensive HMAC KATs implicitly provide assurance about the validity of the
  Password-Based Key Derivation Function (PBKDF) as recommended in NIST SP 800-132
  (Reference [11]). There is neither a Validation System in place, nor sample test vectors
  published by CAVP for the PBKDF algorithm, as of January 2017.

Table 10 – Module Power-On Self-Tests
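
The two-step Software Integrity check from Table 10, as an added example that is not the Module's own code: an SP 800-108 counter-mode KBKDF with HMAC-SHA-512 derives the 64-byte key from the version string and build date, and the HMAC over the whole image is compared with the hexadecimal value from a properties file. The KBKDF mode, the key-derivation key `BUILD_SECRET`, the label, the `integrity.hmac` property name and the sample image are assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical compiled-in inputs; the policy names only the version string and build date.
BUILD_SECRET = b"constructed-key-derivation-key"
LABEL = b"module-integrity"
PROPERTY_NAME = "integrity.hmac"  # assumed property name


def kbkdf_ctr_hmac_sha512(key_in, label, context, out_len):
    """SP 800-108 counter mode: K(i) = PRF(K_I, [i]_32 || Label || 0x00 || Context || [L]_32)."""
    l_bits = (out_len * 8).to_bytes(4, "big")
    out = b""
    counter = 1
    while len(out) < out_len:
        data = counter.to_bytes(4, "big") + label + b"\x00" + context + l_bits
        out += hmac.new(key_in, data, hashlib.sha512).digest()
        counter += 1
    return out[:out_len]


def derive_integrity_key(version, build_date):
    """Step 1: bind the 512-bit HMAC key to this build's version string and date."""
    context = version.encode() + b"\x00" + build_date.encode()
    return kbkdf_ctr_hmac_sha512(BUILD_SECRET, LABEL, context, 64)


def image_tag(image, version, build_date):
    """Step 2: HMAC-SHA-512 over the whole image, treated as opaque bytes."""
    key = derive_integrity_key(version, build_date)
    return hmac.new(key, image, hashlib.sha512).digest()


def make_properties(image, version, build_date):
    """Build-time step: store the expected tag as hex in properties-file syntax."""
    return f"{PROPERTY_NAME}={image_tag(image, version, build_date).hex()}\n"


def verify_image(image, properties_text, version, build_date):
    """Load-time check; any parse problem counts as an integrity failure."""
    stored = None
    for line in properties_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == PROPERTY_NAME:
            stored = value.strip()
    try:
        expected = bytes.fromhex(stored or "")
    except ValueError:
        return False
    if len(expected) != 64:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(image_tag(image, version, build_date), expected)


# Constructed sample data standing in for a DLL/SO image and its build fields.
SAMPLE_IMAGE = b"\x7fELF" + bytes(range(256)) * 4
SAMPLE_VERSION = "1.0.0"
SAMPLE_BUILD_DATE = "2017-01-15"
SAMPLE_PROPERTIES = make_properties(SAMPLE_IMAGE, SAMPLE_VERSION, SAMPLE_BUILD_DATE)

if __name__ == "__main__":
    print(verify_image(SAMPLE_IMAGE, SAMPLE_PROPERTIES, SAMPLE_VERSION, SAMPLE_BUILD_DATE))
```

Because the key depends on the build fields, a rebuilt image with a different version string or build date fails verification even if its bytes are otherwise unchanged.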

Test: ECC KAS (FullUnified, FullMQV) Conditional Pair-Wise Consistency Self-Test
Description: The ECC KAS implementation provides built-in assurance (verification) of the
  arithmetic validity of each newly generated key pair by performing a pair-wise consistency
  self-test where the key pair is used in conjunction with a second newly generated compatible
  key pair to calculate shared values for both sides of the key agreement algorithm such that if
  the resulting shared values are not equal the self-test fails.
  Every invocation of ECC KAS involves (within the class constructors) a verification of the
  arithmetic validity of the selected set of ECC domain parameters (Reference [15],
  Section 5.5.2).
  The ECC KAS implementation performs a full ECC public key validation each time such a key is
  being used where each side verifies both own and opposite static public keys, each side
  verifies opposite side’s ephemeral public key (Reference [15], Section 5.6.2).
  Also, during key agreement, each side renews its assurance of possessing the correct private
  key by using the Key Regeneration method (Reference [15], Section 5.6.3), while the ephemeral
  (generated) private key is subjected to the constraints specified in Reference [15],
  Section 5.6.1.2.

Test: ECDSA Conditional Pair-Wise Consistency Self-Test
Description: The ECDSA implementation provides built-in assurance (verification) of the
  arithmetic validity of each newly generated key pair by performing a pair-wise consistency
  self-test where the key pair is used to generate and verify a digital signature such that if
  the digital signature cannot be verified the self-test fails.
  Every invocation of ECDSA involves (within the class constructors) a verification of the
  arithmetic validity of the selected set of ECC domain parameters.
  The ECDSA implementation performs an ECC public key validation each time such a key is used
  during digital signature generation and verification.
Table 11 – Module Conditional Self-Tests

2.9.1. Invoking Self-Tests


The Cryptographic Officer operator invokes the POST automatically by loading the Module. During load
the operational environment executes the following Module Default Entry Point (DEP) automatically,
which invokes the self-tests. The Module does not rely on any other external service to initiate the POST
and all data output via the data output interface is inhibited when the POST is performed. The POST
may be invoked automatically at any time by power-cycling the operational environment and reloading
the Module.

Dynamic Link Library (DLL) Default Entry Point



BOOL APIENTRY DLLMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved)

Shared Object (SO) Default Entry Point



void __attribute__((constructor)) runModulePOST(void)

2.9.2. Self-Tests Results


Upon successful self-test completion, the Module will complete its initialization and transition to the idle
operational state. Subsequent Module self-tests are exercised automatically when any Suite B
cryptographic algorithms are called by the operator for communications encryption/decryption,
data encryption/decryption, and/or key establishment. If the Software Integrity and/or KAT
self-tests fail, the Module will not complete loading and will transition to the error state, and
a specific error code will be returned indicating which self-test has failed. The Module will not provide
any cryptographic services while in this error state. Recovery from the error state is possible by
power-cycling the operational environment and reloading the Module.

Self-Test             Error Code
Software Integrity    441, 444
GCM Encrypt           2100 + Test Count
GCM Decrypt           2200 + Test Count
SHA                   2300 + Test Count
HMAC                  2400 + Test Count
ECDSA Key             2800 + Test Count
ECDSA SigGen          3300 + Test Count
ECDSA SigVer          3400 + Test Count
KAS Full Unified      2500 + Test Count (combined indicator of the EC type and failing sub-test)
KAS Full MQV          3000 + Test Count
XTS Encrypt           2600 + Test Count
XTS Decrypt           2700 + Test Count
KW Encrypt            3100 + Test Count
KW Decrypt            3200 + Test Count
KBKDF                 3500 + Test Count
Table 12 – Module Self-Test Error Codes

2.10. Design Assurance


The Module meets the requirements of the FIPS 140-2 Security Level 1 specification and provides the
following Cryptographic Officer guidance and User guidance.

The Cryptographic Officer is responsible for manually installing the Module on the operational
environment and ensuring FIPS mode of operation as described in Section 2.1.2. Also, the Cryptographic
Officer is responsible for initializing the Module causing the POST to run automatically as described in
Section 2.9.

The User operator is responsible for confining method calls to only FIPS 140-2 approved security
functions as listed in Table 2 when calling the Module API as well as confining method calls to a FIPS
140-2 approved DRBG from the operational environment as listed in Section 2.6.

2.11. Mitigation of Other Attacks


The Module has not been designed to mitigate any specific attacks outside the scope of the FIPS 140-2
requirements. The Module resides within a FIPS 140-2 operational environment, which provides an
additional layer of protection against attacks on the Module.

3. Referenced Documents
[1] FIPS Publication 197, The Advanced Encryption Standard (AES), U.S. DoC/NIST, November 26, 2001,
National Institute of Standards and Technology, [Web page],
http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[2] NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation: Methods
and Techniques, December 2001, [Web page],
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
[3] NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The
CMAC Mode for Authentication, May 2005, National Institute of Standards and Technology, [Web
page], http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
[4] NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation:
Galois/Counter Mode (GCM) and GMAC, November 2007, National Institute of Standards and
Technology, [Web page], http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
[5] NIST Special Publication 800-38E, Recommendation for Block Cipher Modes of Operation: the XTS-
AES Mode for Confidentiality on Storage Devices, January 2010, National Institute of Standards and
Technology, [Web page], http://csrc.nist.gov/publications/nistpubs/800-38E/nist-sp-800-38E.pdf
[6] NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods
of Key Wrapping, December 2012, National Institute of Standards and Technology, [Web page],
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
[7] RFC 5649, Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm, August 2009,
Network Working Group, [Web page], https://tools.ietf.org/html/rfc5649
[8] FIPS Publication 180-4, Secure Hash Standard (SHS), August 2015, National Institute of Standards
and Technology, [Web page], http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
[9] FIPS Publication 198-1, The Keyed-Hash Message Authentication Code (HMAC), July 2008, National
Institute of Standards and Technology, [Web page],
http://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf
[10] NIST Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom
Functions, October 2009, National Institute of Standards and Technology, [Web page],
http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf
[11] NIST Special Publication 800-132, Recommendation for Password-Based Key Derivation, December
2010, National Institute of Standards and Technology, [Web page],
http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
[12] FIPS Publication 186-4, Digital Signature Standard (DSS), July 2013, National Institute of Standards
and Technology, [Web page], http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
[13] ANS X9.62-2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve
Digital Signature Algorithm (ECDSA), November 2005
[14] NIST Special Publication 800-131A, Transitions: Recommendation for Transitioning the Use of
Cryptographic Algorithms and Key Lengths, January 2011, National Institute of Standards and
Technology, [Web page], http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
[15] NIST Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using
Discrete Logarithm Cryptography, Revision 2, May 2013, National Institute of Standards and
Technology, [Web page],
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar2.pdf
[16] The Advanced Encryption Standard Algorithm Validation Suite (AESAVS), November 15, 2002,
National Institute of Standards and Technology, [Web page],
http://csrc.nist.gov/groups/STM/cavp/documents/aes/AESAVS.pdf

[17] The CMAC Validation System (CMACVS), Updated August 23, 2011, National Institute of Standards
and Technology, [Web page], http://csrc.nist.gov/groups/STM/cavp/documents/mac/CMACVS.pdf
[18] The Galois/Counter Mode (GCM) and GMAC Validation System (GCMVS), National Institute of
Standards and Technology, Updated: August 30, 2012, [Web page],
http://csrc.nist.gov/groups/STM/cavp/documents/mac/gcmvs.pdf
[19] The XTS-AES Validation System (XTSVS), Updated: September 5, 2013, National Institute of
Standards and Technology, [Web page],
http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSVS.pdf
[20] The Key Wrap Validation System (KWVS), June 20, 2014, National Institute of Standards and
Technology, [Web page], http://csrc.nist.gov/groups/STM/cavp/documents/mac/KWVS.pdf
[21] The Secure Hash Algorithm Validation System (SHAVS), Updated: May 21, 2014, National Institute
of Standards and Technology, [Web page],
http://csrc.nist.gov/groups/STM/cavp/documents/shs/SHAVS.pdf
[22] The Keyed-Hash Message Authentication Code Validation System (HMACVS), Updated: July 23,
2012, National Institute of Standards and Technology, [Web page],
http://csrc.nist.gov/groups/STM/cavp/documents/mac/HMACVS.pdf
[23] Key Derivation using Pseudorandom Functions (SP 800-108) Validation System (KBKDFVS), Updated
January 4, 2016, National Institute of Standards and Technology, [Web page],
http://csrc.nist.gov/groups/STM/cavp/documents/KBKDF800-108/kbkdfvs.pdf
[24] The FIPS 186-4 Elliptic Curve Digital Signature Algorithm Validation System (ECDSA2VS), Updated:
March 18, 2014, National Institute of Standards and Technology, [Web page],
http://csrc.nist.gov/groups/STM/cavp/documents/dss2/ecdsa2vs.pdf
[25] The Key Agreement Schemes Validation System (KASVS), Updated May 22, 2014, National Institute
of Standards and Technology, [Web page],
http://csrc.nist.gov/groups/STM/cavp/documents/keymgmt/KASVS.pdf
[26] NIST Special Publication 800-63-2, Electronic Authentication Guideline, August 2013, National
Institute of Standards and Technology, [Web page],
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf
[27] NIST Special Publication 800-118, Guide to Enterprise Password Management (Draft), April 2009,
National Institute of Standards and Technology, [Web page],
http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf
